September 15-19, 2019

Baltimore Marriott Waterfront
Baltimore, MD


Program Schedule

Conference participants are eligible to receive a maximum of 28 CPE credit hours. The Association of College and University Auditors (ACUA) is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE sponsors. State boards of Accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be addressed to the                                              National Registry of CPE Sponsors through its website: www.learningmarket.org.

Fields of study that qualify for Continuing Professional Education.

To download and print the AuditCon Program Schedule Matrix click here.
 

Sunday, Sept. 15th

Monday, Sept. 16th

Tuesday, Sept. 17th

Wednesday, Sept. 18th

Thursday, Sept. 19th

7:00 A.M. - 8:00 A.M.
Breakfast
8:00 A.M. - 8:10 A.M.
Opening Comments
8:10 A.M. - 9:25 A.M.
Keynote: The Pulse of Higher Education
Presenter(s): Howard Teibel, President, Teibel Education Consulting
The convergence of three things - demographic projections showing a decline in student enrollment for the next 10 years, the increasing lack of student affordability, and the underlying question of the value proposition - these three factors make the case to bring fundamental change to higher education. It’s easy to be overwhelmed, indifferent or resigned by these provocations.  How do you engage in these issues where there is no concrete solution? In this talk we will learn what it means to be change agents in our respective roles, bringing a disposition of openness to this uncertain future. We’ll dive into how authentic transformation is fueled by learning how to be in a different style conversation, one that is investigatory, thought-provoking, and allows us to think about the future in a mood of curiosity and shared concern.
 
After this session, participants will be able to:
  • Recognize moods that open and close possibilities for you and your team.
  • Distinguish between being a problem-solver versus navigating an emerging concern.
  • Give and receive feedback with more ease. 

Knowledge Level: Overview
Advanced Preparation: None
Field of Study: Personal Development
Prerequisites:  None
9:25 A.M. - 9:55 A.M.
Networking / Visit Exhibitors / Refreshment Break
9:55 A.M. - 10:55 A.M.
A1: Becoming a Trusted Advisor by Branding Your Audit Dept
Presenter(s): Michael Moody, Institute Auditor, MIT
Do you still hear outdated and common misconceptions of internal auditing from within your organization? Instead of ignoring the auditor jokes and allowing others to define your value, learn how to brand your services and promote your value to current and future clients. Understand that marketing your brand is an important step in becoming a value-added, trusted advisor.
 
After this session, participants will be able to:
• Explain why a brand is so important.
• Describe how to create your brand identity.
• Develop marketing tools and strategies to promote your brand.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Communications and Marketing
Prerequisites:  None
 
9:55 A.M. - 10:55 A.M.
B1: Access Management - The First Line of Defense for Cyber security
Presenter(s): Carol Rapps, Asst Director Internal Audit, Information Systems, The University of Texas at San Antonio
 
The intent of the presentation is to provide participants with an understanding of access management discipline for cloud based systems.   For the purpose of this presentation, access management is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.  Using the presenters 30 years plus of IT auditing and IT management experience, the participants will have the opportunity to gain an understanding of and discuss the difference between cybersecurity and information security, why access management is the “first line” of defense in the cyber security environment, cybersecurity access control methodologies and how they differ from previous access management methodologies, and the roles of the organization's management, the cloud provider, internal auditors and external auditors in the management of access to cloud-based systems and data stores.
 
After this session, participants will be able to:
• Describe the types of access control systems/methodologies and how they are used to limit access to critical resources.
• Explain how identity and access management work together and how this is changed to address access to cloud based systems.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Information Technology
Prerequisites:  None
 
 
9:55 A.M. - 10:55 A.M.
C1: Clery Act Compliance: “What Does It Mean?”
Presenter(s): Danielle Bundy, Director of Internal Audit, Colorado Community College System
David Summerlin, Internal Audit Senior Manager, Colorado Community College System

 
Compliance with the Clery Act is a hot topic within the Department of Education and recent fines for noncompliance have soared into the million-dollar range.  Compliance is complex and requires a whole institution approach.  In this presentation, you will learn the risks of noncompliance with the Clery Act and how to structure an audit to properly address risks.  Common areas of noncompliance and best practices will be explored using case studies.
 
After this session, participants will be able to:
• Develop an audit program guide for compliance with the Clery Act.
• Identify resources to use in a Clery audit.
• Recognize common areas of noncompliance and best practices.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Specialized Knowledge
Prerequisites:  None
 
 
9:55 A.M. - 10:55 A.M.
D1: Fraud/Not Fraud
Presenter(s): Angela McCarter, Assistant Director, Office of Internal Audit, The University of Texas at Austin
Dyan Hudson, Director, Specialty Audit Services, The University of Texas System
 
When the numbers don’t add up….  When you know someone is lying….  When it just doesn’t “smell” right….  Fraud or not fraud?  In this presentation, we will use the elements of the fraud triangle to more clearly define the work we are performing -- is it an Investigation?  Is it a Review?  Is it just an Inquiry?  Through case studies, we will apply these definitions to decide:  Fraud/Not Fraud.
 
After this session, participants will be able to:
• Explain how to narrow the definition of "investigation" (versus what is an "inquiry" or a "review").
• Using the elements of the fraud triangle, determine which of the case studies were or were not fraud.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Auditing/Behavioral Ethics
Prerequisites:  None
 
 
11:10 A.M. - 12:10 P.M.
A2: Accepting Unacceptable Risk: A Case Study
Presenter(s): Kimberly (Kim) Turner, Chief Audit Executive, Texas Tech University System
 
This session will be an interactive case study based on a real-life review of executive expenses with complex governance issues. We will review the IIA Standards on reporting and the auditor’s responsibility in cases where management chooses to accept risk.  Participants will engage in discussions about audit reporting, written and verbal, where sensitive information is involved, focusing on ways to maintain positive client relationships in the face of difficult circumstances. During the case study, we will work through the delicacies of situations such as where senior leadership does not take the recommended steps to address a situation.
 
 
 
After this session, participants will be able to:
• Explain the IIA Standards related to reporting and communication of excess risk.
• Build negotiation and communication skills.
• Demonstrate how to preserve positive working relationships under difficult circumstances.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  None
 
11:10 A.M. - 12:10 P.M.
B2: The Third Line of Defense in Cybersecurity – Internal Audit and the UC Cybersecurity Audit Team
Presenter(s): Greg Loge, Systemwide Cybersecurity Audit Director, University of California
Matthew Hicks, Systemwide Deputy Audit Officer, University of California
 
This presentation will discuss the three lines of defense model, and how it can be applied to cybersecurity.  We will discuss how internal audit, as the third line has to evolve to address cybersecurity risks in its unique role as an independent function reporting directly to senior leadership and the board.   To address these ever-increasing and evolving threats, the University of California created a specialized team with cybersecurity expertise to lead cyber-focused internal audit projects across the University of California system.   The presentation will cover the creation of the internal audit cybersecurity audit team (CAT), structure, and its integration with the overall cyber risk efforts across UC, focusing on the unique role internal audit can play in driving positive change for improving cyber risk management.
 
After this session, participants will be able to:
• Explain how cybersecurity expertise within internal audit integrates into the overall cyber risk management approach for an organization.
• Describe how traditionally technical cybersecurity control focused reviews, such as penetration testing, can be incorporated into an internal audit project to reduce cyber risk and provide assurance to the board and senior leadership.
• Discuss how to build a cybersecurity subject matter team, performing work across an entire  system, including campuses and academic medical centers.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Auditing/Information Technology
Prerequisites:  None
 
11:10 A.M. - 12:10 P.M.
C2: Evaluating the University-Wide Compliance Function
Presenter(s): Eric Groen, Managing Director, Protiviti
Gates Garrity-Rokous, Vice President and Chief Compliance Officer, The Ohio State University
 
Compliance responsibilities in universities typically develop reactively, in response to new requirements or issues, while decentralized governance often leads such functions to develop differently and in silos.  Inadequacies within such a compliance silo, or failures occurring between them, often receive attention or resources only when something negative happens.  Efforts to improve through a focus on “ethics,” while well-intended, can further result in disconnected efforts and missed opportunities. The lack of a proactive, coordinated ethics and compliance program leaves an institution vulnerable to reputational harm as well as enforcement fines and penalties.  This session takes an in-depth look into evaluating the ethics and compliance function and providing recommendations for continuous improvement of the function.  We will discuss leading practices and components of effective ethics and compliance programs, and how to best align such programs with the unique culture and governance of an institution.  Finally, the session will address the important role of internal audit in evaluating and promoting an institution’s ethics and compliance program.
 
After this session, participants will be able to:
• Identify key benefits to developing centralized oversight of ethics and compliance activities through a programmatic approach.
• Evaluate existing ethics and compliance activities by learning the key attributes, practices and components of an effective ethics and compliance program.
• Develop key recommendations for improvement based on the evaluation to help improve the performance of a university’s ethics and compliance program.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Management Services
Prerequisites:  None
 
11:10 A.M. - 12:10 P.M.
D2: SFA Fraud: How to Identify Fraud and Protect Your Institution
Presenter(s): Andrew Lee, Principal, CLA
Brenda Scherer, Signing Director, CLA
 
Fraud has become an everyday occurrence in the news and the student financial aid program seems to be an easy target. This session will cover how fraud can occur by covering some of the common schemes being perpetrated in the program. We’ll also discuss how to identify fraud and prevent it from occurring within your institution.

At the end of this session, you will be able to:
  • Gain an understanding of what fraud is
  • Understand the reasons for why fraud occur
  • Name the “top” frauds/schemes targeting higher education institutions
  • Explain the potential impact of fraud on an institution
  • Identify methods to prevent fraud in your institution
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  None
12:10 P.M. - 1:10 P.M.
Lunch
1:10 P.M. - 2:25 P.M.
General Session: The Diversity Difference and the Inclusion and Innovation Impact
Presenter(s): Menah Pratt-Clark, Vice President of Strategic Affairs & Diversity, Virginia Tech
 
In today's complex higher education landscape, diversity, inclusion, and equity are often connected to innovation and transformation.   Institutions are increasingly recognizing the value, importance, and necessity of implementing sustainable institutional transformation around diversity and inclusion.  This session will explore the challenges and opportunities around actualizing the value propositions associated with diversity, inclusion, and equity.  It will examine the "Diversity Difference" and the "Inclusion and Innovation Impact" in the higher education environment.
 
After this session, participants will be able to:
  • Describe the importance of diversity in higher education.
  • Explain the value of inclusion.
  • Discuss the opportunities and challenges associated with diversity.
 
Knowledge Level:  Basic
Advanced Preparation: None
Field of Study: Speclialized Knowledge
Prerequisites: None
 
2:40 P.M. - 3:40 P.M.
A3: Internal Audit and Information Security Working Together for ERM
Presenter(s): Mark Ruppert, Chief Auditor, Northern Arizona University
 
If risk assessment to develop an audit program is one level of maturity, building a University-wide Enterprise Risk Management approach to guide leadership decision-making including audit plan decisions is the wise old man.  We will discuss the NAU approach to building just that level of ERM, which while not yet so nicely aged, is well on its way.  Combining IA an IT Security resources to facilitate the effort has proven valuable to building executive and other leader interest and commitment in ERM, driving broader GRC system consideration and decisions to support ERM across the board, and developing an IA/IT relationship better than any I've enjoyed in my previous CAE roles.  Presentation will include approach to combined IA/IT Security involvement, ERM plan and approach, and successes and challenges in developing the child into an adolescent and the adolescent into an adult.
 
After this session, participants will be able to:
• Demonstrate how an established IA/IT Security Relationship can benefit your university.
• Apply an ERM approach focused on opportunities as well as challenges.
• Identify IA/IT Security Approaches to ERM.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Specialized Knowledge
Prerequisites:  None
 
2:40 P.M. - 3:40 P.M.
B3: GDPR in Higher Education - The Journey to Compliance
Presenter(s): Shane McQuitty, Associate Director, Protiviti, Inc.
Cathy Hubbs, Chief Information Security Officer (CISO), American University
Joel Wuesthoff, Managing Director, Robert Half Legal (Protiviti's Parent Company)
 
As the regulation went into effect on May 25, 2018, all applicable organizations are required to be in compliance with every GDPR requirement. With its extensive content and shift mandating a focus on protecting the individual as opposed to controlling organizational processes, many organizations are having challenges adopting GDPR’s requirements. This training will go through a refresher on what the regulation is (scope of applicable data, rights of the data subject, compliance requirements, etc.) but will mainly focus on a use case of one University’s journey to compliance, from a readiness assessment through to establishing and executing a roadmap to compliance.  Attendees should leave with lessons learned they can apply on their journey to compliance, including how to maintain it going forward.
 
After this session, participants will be able to:
• Define the key components of GDPR.
• Describe hurdles and lessons learned in performing the GDPR assessment and working towards compliance.
• Discuss the benefits of compliance and tips for maintaining compliance going forward.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  None
 
2:40 P.M. - 3:40 P.M.
C3: Responding to Foreign Influence Over Research on Campus
Presenter(s): Ashley Deihr, Director, Baker Tilly
Missy Peloso, Associate Vice President & Associate Vice Provost, University of Pennsylvania
 
Recent focus on the threat of foreign influence to U.S. national security has resulted in increased scrutiny of academic institutions, specifically the potential for theft of intellectual property through diversion from the peer review process or transfer of research results to foreign entities. You may have received information requests from a funding agency or even had a visit from the FBI! How do you know what to worry about, and how can internal audit help?  During this session, you will hear firsthand about the following challenges from an expert research administration leader:
- Federal agency disclosure requirements on foreign sources of support.
- Department of Education reporting requirements on foreign gifts/contracts.
- Risks of foreign talent programs (e.g., China’s “Thousand Talents Program”)
- Heightened awareness of foreign visitors to campus.
- Risk intersection with export controls.
 
After this session, participants will be able to:
• Identify, assess, and communicate risks.
• Perform targeted reviews of high risk areas or processes to provide assurance that controls are operating effectively.
• Perform continuous monitoring activities.
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Specialized Knowledge
Prerequisites:  Experience in research auditing or administration
 
 
2:40 P.M. - 3:40 P.M.
D3: Academic Program Analysis/Contribution Margin Analysis – Internal Audit and BKD Partnering to Support Institutional Success
Presenter(s): Michelle Finley, Chief Audit Executive, Oklahoma State University and Agriculture and Mechanical Colleges
Joe Diaz, Assistant Chief Audit Executive, Oklahoma State University and Agriculture and Mechanical Colleges
 
In 2018, Oklahoma State University Institute of Technology (OSUIT) engaged BKD to perform a Contribution Margin Analysis project.  The project entailed gathering numerous data points, performing analysis and review, and entry into a data visualization tool, Tableau. Institutional leaders were able to view data and understand the information to select programs to “start, stop, sustain, or grow.” The Office of Internal Audit discussed the success of the project with OSUIT leadership and the Board of Regents and decided to partner with BKD and another institution to perform the same project. Internal Audit believes the results will enable leadership to assess academic and athletic program strengths and weaknesses. This presentation will outline the two case studies and walk through the Tableau tool used for both.  Additionally, the presenters will discuss the outcomes related to the projects and how Internal Audit was able to support institutional leadership in improving operations.   
 
After this session, participants will be able to:
• Describe how BKD provided institutional leadership with data visualization tools to evaluate programs to make better and faster decisions on which programs to "start, stop, sustain, or grow.”
• Discuss how the Office of Internal Audit effectively partnered with BKD on an additional project involving contribution margin analysis. 
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Management Services/Computer Software & Applications
Prerequisites:  Experience with data analysis
 
3:40 P.M. - 4:10 P.M.
Networking / Visit Exhibitors / Refreshment Break
4:10 P.M. - 5:10 P.M.
A4: Untapped Resources: How Building Relationships Between IA and Faculty Can Increase Productivity
Presenter(s): Kara Kearney-Saylor, Director of Internal Audit, University at Buffalo
Lorrie Metzger, Clinical Assistant Professor, University at Buffalo
 
 
Learn how you can replicate UB's partnership between School of Management faculty and the Internal Audit department.  This successful partnership has led to class projects that successfully conducted multiple Information Technology audits with students performing test work;  designed data analytics covering areas such as pcards, duplicate payments, and travel expenses;  presented findings and recommendations to IT and Financial leadership; and built stronger ties between Information Technology, Finance & Administration, Internal Audit and Academic units    By implementing a similar program at your school, you can ensure more audit work is completed with minimal impact to your departmental resources.
 
After this session, participants will be able to:
• Build strong relationships with faculty.
• Develop student projects that can be mutually beneficial.
• Use data analytics covering areas such as pcards, duplicate payments, and travel expenses to build stronger ties between Information Technology, Finance & Administration, Internal Audit and Academic units.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Business Management & Organization
Prerequisites:  None
 
 
4:10 P.M. - 5:10 P.M.
B4: Auditing Social Media Effectively
Presenter(s): Ali Subhani, Director Audit Services, Texas Woman’s University         
Ray Khan, Senior Auditor, Texas Woman’s University         

 
With the increased integration of social media into our daily lives, we are far better connected than the generations from the past. However, this interconnectivity allows ‘news’ to spread around the world in seconds. What does this mean for your organization? Learn how you can evaluate whether your organization is effectively utilizing these emerging forms of communication while still having processes in place to minimize harm to the organization’s reputation.


After this session, participants will be able to:
  1. Identify the critical risks associated with the use of social media. 
  2. Describe the controls that can be implemented specific to social media.
  3. Perform an organizational review related to social media.
  4. Explain configuration settings that could personally impact your privacy as a social media use.  

Field of Study:  Auditing
Prerequisites:  None
Level of Study:  Basic
Advanced Preparation:  None

 
4:10 P.M. - 5:10 P.M.
C4: Internal Controls: Looking at Sponsored Research through the COSO Lens
Presenter(s): Albana Cejne, Assistant Director, Sponsored Research Audit, Princeton University
Christiana Oppong, Senior Auditor, Princeton University
 
Office of Management and Budget 2 CFR 200, also known as Uniform Guidance, establishes the administrative requirements, cost principles and audit requirements for federal awards. Uniform Guidance has placed an emphasis on internal controls and with that, it has charged institutions with the task of establishing and maintaining effective internal controls. In addition, Uniform Guidance refers to the COSO Internal Controls Framework as guidance for designing, implementing and conducting internal controls and assessing effectiveness. This session will discuss how the internal audit office can collaborate with the sponsored research offices to document the institutional internal controls. This session is designed to provide details on documenting the internal controls for sponsored research by applying the five components of the COSO model through different elements of the compliance supplements, such as allowability/allocability, subrecipient monitoring, procurement, reporting and so forth.

After this session, participants will be able to:
• Identify the internal controls expectations as listed on the Uniform Guidance and the institution’s responsibility of documenting such controls.
• Discuss sponsored research terminology such as allowability, allocability and reasonableness, including timeliness and documentation.
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Auditing/Governmental Auditing
Prerequisites:  Education in accounting/auditing and Experience in sponsored research
 
4:10 P.M. - 5:10 P.M.
D4: Getting the Most Out of Your Hotline
Presenter(s): Will Hancock, Audit Manager, Auburn University
 
A well-managed hotline is an important element of an organization’s internal control environment and can provide valuable warning signs of fraud, misconduct, or other violations.  However, it should be implemented in a way that makes sense for your organization, it should be actively promoted, and it must be continuously managed.  How do you tell if you are getting the most out of your hotline?
This course will provide an overview of the various factors that should be considered when configuring a hotline, including the structure of the hotline, the methods of advertising the hotline, the roles of the various responders, and the need for policy to complement the hotline.  Participants will also have an opportunity to discuss various metrics to evaluate the effectiveness of a hotline.
 
After this session, participants will be able to:
• Identify key elements of hotline management and incident response.
• Develop an approach for effectively addressing hotline reports.
• Identify key metrics to evaluate hotline management.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Specialized Knowledge
Prerequisites:  None
 
 
5:15 P.M. - 6:30 P.M.
Networking Reception
Grab a quick refreshment and catch up with other attendees. You can discuss what you learned during the day, what you are looking forward to the rest of the week and most importantly make plans to go explore Baltimore the rest of the evening.  
 
7:00 A.M. - 8:00 A.M.
Breakfast
8:00 A.M. - 8:05 A.M.
Opening Comments
8:05 A.M. - 9:25 A.M.
Keynote: Proven Techniques to Increase Internal Audit's Value
Presenter(s): Ann Butera, President, The Whole Person Project, Inc.
 
Given the rate of change and as the complexity of higher education intensifies, the actions that have made you successful to date may not work tomorrow. Consequently, the ability to create value and turn new challenges into advantages is critical. The objective is to identify and deliver what is currently valuable to your constituents. During this keynote session, Ann M. Butera, CRP, President of The Whole Person Project, Inc. will explain innovative ways you and your internal audit team members can add value to your organization.
 
After this session, participants will be able to:
  • Define "value" and the attributes of value-added auditing.
  • Leverage methods that other auditors have used to add value to their organizations.
  • Use the Critical LinkageTM to focus on value-added opportunities.
  • Communicate ideas and results in a way that demonstrate the value your department provides.
 
Knowledge Level:  Basic
Advanced Preparation: None
Field of Study: Auditing
Prerequisites: None
 
9:20 A.M. - 9:50 A.M.
Networking / Visit Exhibitors / Refreshment Break
9:50 A.M. - 10:50 A.M.
A5: Annual Risk Assessment and Audit Planning
Presenter(s):

Sharon Kurek, Executive Director of Audit, Risk, and Compliance, Virginia Tech
Michael J. Moody, Institute Auditor, MIT

Patricia Snopkowski, Chief Executive Audit, Risk and Compliance, Oregon State

Auditing complex and diverse institutions of higher education can be overwhelming!  How do we handle the challenges encountered when performing the university risk assessment?  Higher education has been dealing with governance changes, resource constraints, changing laws and regulations, etc. – so the task of keeping current and addressing the broad scope of our universities has become increasing complex.  This interactive session will share lessons learned from three different universities on approaches to performing the annual risk assessment and developing the audit plan.
 
9:50 A.M. - 10:50 A.M.
B5: Cybersecurity Emerging Trends for Colleges and Universities
Presenter(s): Tony Hubbard, Principal, KPMG
 
Colleges and universities are facing increased cybersecurity risk. As a key member of government and industry supply chains, colleges and universities need to have controls and processes in place to support these supply chain stakeholders. These challenges are magnified by the ever emerging cyber security and technology risks and high demand for cybersecurity professionals. Join this session to learn more about how colleges and universities can maintain a proactive cybersecurity program to not only help comply with government requirements (e.g., NIST 800-53 and 171), but to also highlight their cyber security capabilities as a differentiator for their branding efforts. Also learn about how automation techniques can be applied to help deal with the high demand for cybersecurity professionals. We will also discuss the applicability of increased cybersecurity risks to the audit programs supporting colleges and universities.
 
After this session, participants will be able to:
• State cybersecurity emerging trends, notably automation of cyber and technology processes.
• Explain compliance requirements colleges and universities need to address, notably NIST 800-53 and 800-171.
• Identify risks colleges and universities face in their technology and cyber supply chains (and as a supply chain provider).
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Information Technology
Prerequisites:  None
 
9:50 A.M. - 10:50 A.M.
C5: Research Compliance in a Decentralized Environment
Presenter(s): Michael Bowers, Associate Director, Audit Division, MIT
Vesna Zaccheo, Audit Services Manager, MIT
Kallie Firestone, Senior Compliance Specialist, MIT
 
Through a case study of the MIT Audit Division’s role in research compliance and how the Division differentiates between traditional internal audits and compliance consulting programs, attendees will become familiar with the Research Administration Compliance Program, which provides guidance and monitoring to MIT’s Departments, Laboratories, and Centers (DLCs) management relative to post award sponsored research administration and other fiduciary responsibilities. 
 
After this session, participants will be able to:
  • Describe MIT Audit Division’s role in research compliance and how the Division differentiates between Process Audits and Departmental Site Visits (post award compliance monitoring audits).
  • Identify methods being used to assist DLCs in managing their compliance responsibilities.
  • Explain the growing role of data analytics in post award administration.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  None
 
 
9:50 A.M. - 10:50 A.M.
D5: Don't Let Conflicts of Interest Corrupt Your Culture
Presenter(s): Justin Noble, CIA, MBA, Assistant Chief Audit Executive, Texas Tech University System
Most of us want to work with people we know and trust. On one hand, this makes the workplace enjoyable. On the other hand, hiring your spouse and paying him/her more than others in similar positions can kill morale.  Businesses must be careful when employing and/or doing business with friends, family members and acquaintances.
 
After this session, participants will be able to:
• Identify and describe various types of conflicts.
• Discuss the operating environment and factors that make it more susceptible to conflicts.
• Evaluate oversight process and test conflict monitoring mechanisms.
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  One year internal audit experience
 
 
11:05 A.M. - 12:05 P.M.
A6: Actionable Advice for Negotiation
Presenter(s): Bryan Paine, Senior Associate, RSM US LLP
 
In any engagement, there are a lot of moving parts to juggle. Even if you have the best intentions, it’s easy to become distracted by the motivations and agenda of your client, thus extending timelines and delaying progress. This one-hour session aims to cover the basic elements of negotiation during an engagement and provide you with the tools you need to be heard, overcome objections, and close engagements with fewer “edits.”
 
After this session, participants will be able to:
• Define stages and elements of the negotiation process.
• Develop techniques of a successful negotiator.
• Identify optimal value add solutions during an engagement.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Personal Development
Prerequisites:  None
 
11:05 A.M. - 12:05 P.M.
B6: IT Audit Demystified
Presenter(s): Ivy Finglas, IT Audit Manager, University of New Hampshire
 
This presentation is designed for business auditors and or junior IT auditors who would like to learn more about IT Audit.  First, we will cover how your business auditing skills can be harnessed in IT auditing as well as the importance of business data and the alignment to the underlying computing resources.  Then we will discuss how to research an IT audit, plan, scope, pick the right controls to test using general controls as a baseline and the key resources that will help you design a robust audit program for the area you are reviewing.  We will discuss controls that should always be part of an audit and why they are important.  We will use examples as necessary.  We will cover how to gain confidence in this craft to continuously improve your IT audit and security skills and learn new skills through practical application.  Time permitting, we will talk about cybersecurity and how that fits into the IT Auditors daily life.
 
After this session, participants will be able to:
• Explain the alignment between IT audit and business auditing.
• Discuss how to properly research any IT audit.
• Discuss types of controls to test with examples.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Information Technology
Prerequisites:  None
 
11:05 A.M. - 12:05 P.M.
C6: Navigating Civil Rights Compliance
Presenter(s): Danielle Bundy, Director of Internal Audit, Colorado Community College System
David Summerlin, Internal Audit Senior Manager, Colorado Community College System
 
 
How can we help ensure our institutions are compliant with Federal civil rights laws?  In this presentation, you will learn how to develop an audit program guide to identify common areas of noncompliance in policies and procedures as well as common structural issues that may prevent a student with a disability from meaningfully completing a program.  Common areas of noncompliance and best practices will be explored using case studies.
 
After this session, participants will be able to:
• Develop an audit program guide for compliance with Federal civil rights laws
• Identify resources to use in a civil rights compliance audit
• Recognize common areas of noncompliance and best practices
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Specialized Knowledge
Prerequisites:  None
 
 
11:05 A.M. - 12:05 P.M.
D6: Gift Acceptance: Balancing the Institution’s Mission with Donor Intent
Presenter(s): Kimberly Macedo, Senior Manager, Baker Tilly
Rob Carter, Director of Internal Audit & Management Analysis, Baylor University
 
 
Donations provide critical support to the overall operations of colleges and universities and the overall mission of the institution. As recipients of donor gifts, colleges and universities must strive to uphold the core principles of academic independence along with maintaining quality donor cultivation and stewardship activities. This includes assessing gift agreement language for potential conflicts with the institution’s mission, such as a public commitment to protect the scholarly freedom and to ensure an open academic climate. Our presentation will provide first-hand knowledge with helping colleges and universities gain greater insight and visibility into the gift acceptance process, specifically highlighting academic independence considerations.  We will share experiences and perspectives on how to add value to an institution through the development of escalation considerations for gift agreements that require additional reviews, standard gift agreement templates and language, and gift agreement policy considerations.
 
After this session, participants will be able to:
• Learn how to develop gift acceptance policies and procedures to ensure a balance between academic enterprise and donor engagement.
• Share leading practices related to policy principles and potential escalation criteria that would lead to additional review of gift agreements based on specific flags and thresholds.
• Offer ideas for how to establish on-going analysis and assessment of gift acceptance policies and procedures.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  None
 
12:05 P.M. - 1:35 P.M.
LUNCH/Awards & Officer Transition
1:35 P.M. - 2:50 P.M.
General Session: When Culture & Crisis Collide: The Anatomy of a Great Big Mess
Presenter(s): Leigh Goller, Chief Audit, Risk & Compliance Officer, Duke University & Health System
 
Duke University recently settled a federal lawsuit brought forward by a whistleblower.  In addition to the $112.5 million cost of settlement, Duke has spent the last six years investigating and evaluating what happened, how it happened, and the impact the misconduct has had on culture, business processes and assurance programs.  This session will describe what happened, highlight how culture and crisis have influenced Duke, and describe the role internal audit and compliance assurance has played before, during and after the events.  Although the whistleblower case was focused on research misconduct, this session will emphasize how personnel misconduct in general can have significant impact on the institution and how assurance programs can provide insight to leaders on organization structure and business process improvements, and serve to help repair the damage done (and maybe prevent the ones that have not happened yet).
 
After this session, participants will be able to:
  • Evaluate strengths and weaknesses in the “speak up” culture.
  • Raise awareness of what whistleblowers may know about your institution.
  • Design internal audit strategies that align with organizational risk for misconduct.
  • Identify potential root causes for personnel misconduct.
  • Understand the organizational impact and recovery related to misconduct.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Behavioral Ethics/Specialized Knowledge
Prerequisites:  None
 
2:50 P.M. - 3:15 P.M.
Networking / Refreshment Break
3:15 P.M. - 4:15 P.M.
A7: Risk Partners: Integrating Audit, Risk, & Compliance
Presenter(s): Carrie Frandsen, Systemwide ERM Program Manager, University of California
Peter Cataldo, Associate Audit Director, University of California – Office of the President
 
Learn how the University of California coordinated its risk management, internal audit, and compliance functions to more effectively support leadership and the board in managing the University’s risks. Co-presenters Carrie Frandsen and Peter Cataldo will discuss how the University of California developed a “risk partners” approach. They will provide an overview of why they developed this approach, the challenges and successes the University encountered, and examples of the risk assessment methods they use. The session will conclude with an inter-active survey and discussion on collaborative risk assessment strategies, including the recognition of inherent challenges and best-practices in elevating a campus’ risk management capability.
 
After this session, participants will be able to:
• Learn how roles and responsibilities for risk assessment and monitoring are defined and effectively communicated to stakeholders;
• Attain information on how to integrate risk and compliance governance into management planning and decision making, as well as communicate timely and accurate risk information to the appropriate individuals;
• Understand the methodology and mechanisms used to identify risks in a multi-campus environment and the process utilized to develop annual work plans;
• Recognize barriers to effective collaboration and identify practical solutions to forming successful partnerships
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Business Management & Organization
Prerequisites:  None
 
3:15 P.M. - 4:15 P.M.
B7: Responding to Risk in an IoT World
Presenter(s): Matt Unterman, Principal, Higher Education Advisory Services, Grant Thornton LLP
Seth Kornetsky, Executive Director, Audit & Management Advisory Services, Tufts University
Jake Johnson, Cyber Risk-Experienced Manager, Grant Thornton LLP
IoT is impacting your organization right now whether you're aware of it or not.  Devices are becoming smarter with IoT use in organizations  only increasing.  Everything from light bulbs, to temperature sensors, to personal devices are finding their way into organizations' networks often without considering the risks associated with it. Fundamental challenges pertaining to governance and network security associated with IoT exist and take time and effort to first identify the risks, and then develop solutions to effectively manage them. But the first step is gaining visibility into IoT devices uses and purposes.  Audit organizations need to be prepared to face this challenge and be positioned to respond to it.
 
After this session, participants will be able to:
• Describe what IoT is and trends for adoption.
• List common IoT threats and where organizations typically struggle in managing them.
• Describe how audit organizations can add value in IoT adoption and leading practices for conducting IoT internal audits.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Specialized Knowledge
Prerequisites:  None
 
 
3:15 P.M. - 4:15 P.M.
C7: Congratulations, You've Been Selected for an NSF Incurred Cost Audit! What the NSF Auditors are Looking For and How Internal Audit Can Help Prepare For a Successful Outcome
Presenter(s): Lynn Gonzalez, Senior Auditor, Oregon State University
Megan Mesko, Partner, Cotton & Company LLC
 
Many institutions have experienced an NSF performance audit of incurred costs, but have you heard tales from the other side? This presentation will feature the insights into the audit process, institutional challenges, and most commonly seen red flags from the perspective of an external auditing agency frequently contracted by NSF. The presenters will also review the results of a university’s current incurred cost audit as well as lessons learned and improvements made to policies and processes during the course of the audit. We will also share meaningful ways in which the internal audit function may assist in preparing your institution for a successful audit outcome. This presentation will also detail the newly adopted format for future incurred cost audits.
 
After this session, participants will be able to:
• Identify the most common challenges for grant management NSF auditors observe while conductng audits.
• Discuss red flags external auditors observe and the most common disallowed costs.
• Review Oregon State University’s audit results and how improvements to policies/processes were made during the audit.
• Describe ways in which internal audit may assist in preparing your institution for a successful outcome.
• Review the new format for incurred cost audits.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Auditing/Govermental Auditing
Prerequisites:  None
 
 
3:15 P.M. - 4:15 P.M.
D7: Developments in Tax Reform and State and Local Tax Matters - Where Should an Internal Auditor Focus
Presenter(s): Raymond Ly, Sr. Manager, Tax (Development and Exempt Organizations), KPMG LLP
Jonathan Weinberg, Tax Senior Manager, KPMG LLP
 
During this session we will discuss and identify Post-Tax Reform Risk Areas applicable to colleges and universities (UBIT Bucketing, Transportation Fringe Benefits, Excise Tax on Executive Compensation).  A discussion of the developing higher-ed sales tax nexus challenges in a post-Wayfair world will also be included.
 
After this session, participants will be able to:
• Recognize developing exposure areas and issues related to federal and state tax compliance associated with Tax Reform.
• Design institutional audit plans and projects to identify and mitigate risk areas associated with federal and state tax compliance.
 
Knowledge Level:  Update
Advanced Preparation:  None
Field of Study:  Taxes
Prerequisites:  Education and experience in federal and state tax
 
 
4:30 P.M. - 5:30 P.M.
A8: Our Triumphs and Challenges Using Agile Auditing Principles
Presenter(s): Lisa Nykolyshyn, Associate University Auditor, University of Alberta - Edmonton
 
Are you interested in employing “agile auditing” in your audit department but you are not quite sure where to start? Come and listen to the University of Alberta’s triumphs and challenges over the past year as we learned to apply key agile auditing principles. Hear how it has led to more responsive audit plans, made auditors more confident in their audit approach for complex audits, and helped clients and the Board feel more engaged throughout each audit. The University of Alberta's Internal Audit Services department is happy to share the lessons learned during the first year of its journey after embracing this more nimble way of managing audit projects.
 
After this session, participants will be able to:
• Describe the goals of agile auditing.
• Apply key agile auditing principles.
• Identify the importance of regular reflection in terms of improving audit agility.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  None
 
4:30 P.M. - 5:30 P.M.
B8: Conducting an Incident Response from a Digital Forensics Standpoint
Presenter(s): Damon Hacker, President & CEO, Vestige Digital Investigations
 
This presentation will look at the methodologies and techniques for conducting an incident response from the perspective of a forensic examiner. It looks at some foundational items such as why an IR examination is conducted, the kinds of evidence that are helpful, and legal and practical implications from a forensic standpoint. We explore the necessity of preserving evidence, tools & techniques for analyzing and interpreting the data and how to bring it all together into a process.
 
After this session, participants will be able to:
• Demonstrate how Forensic Examiners approach Evidence specific to cybersecurity incidents.
• Explain practical steps and tools that you can use to conduct a response.
• Discuss exposure Tips, Tricks & Traps when conducting an Incident Response.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  None
 
 
4:30 P.M. - 5:30 P.M.
C8: Tales from the Trenches: Lessons Learned about Auditing Research
Presenter(s): Toni Stephens, Chief Audit Executive, The University of Texas at Dallas
 
Once upon a time, universities began doing research.  Researchers brought in lots of money to the universities.  Regulators began enacting laws to govern the research funds.  Auditors were brought in to provide assurance that these funds were being effectively managed and funds were being spent in accordance with these laws.  Research is not only one of the highest risks at a university, it’s one of the most valuable audits on the audit plan.
 
After this session, participants will be able to:
• Identify common research risks.
• Demonstrate audit procedures for common research risks on campus.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  None
 
 
4:30 P.M. - 5:30 P.M.
D8: Student Recruitment and Tuition Remission-Assessment Tools and Strategies for Auditors
Presenter(s): David Terry, Director of Internal Audit, Portland State University
 
This session is designed to help auditors that have limited to no experience auditing remissions and student recruitment practices to obtain industry knowledge and resources to successfully tackle an audit of this area.  David will provide you insights into analytical and detailed testing procedures for your audit team to consider when auditing remission programs.  In addition, this training module is designed to provide you with resources for how to benchmark your institution’s student recruitment efforts to industry practices and steps to consider when analyzing student recruitment data.  Moreover, David will provide examples of fraud risks for your audit team to consider when reviewing remissions and recruitment efforts.
 
After this session, participants will be able to:
• Identify strategies to analyze student recruitment.
• Discuss industry best practices for student recruitment.
• Apply internal controls to help mitigate financial risks related to remissions including controls to mitigate fraudulent remissions.
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  Experience in Financial Aid and SEVIS Reporting Terminology
 
7:00 P.M. - 10:00 P.M.
Evening Event / Networking
Hangout on the Harbor!
Barcocina - 1629 Thames St., Baltimore, MD 21231

Just steps from the hotel, Barcocina is one of Fell’s Point hottest new restaurants. ACUA attendees are invited to enjoy Baltimore inspired Mexican cuisine, drinks and games on the harbor. While networking with other attendees you can play oversized battleship, corn hole, connect four and take your chance at hitting golf balls onto a green in the middle of the harbor… do not worry the golf balls disintegrate in the water and are filled with fish food for all the harbors sea life! So if you can’t make it to the golf green you’re feeding the Baltimore harbor underwater residents.
 
 
 
7:00 A.M. - 8:00 A.M.
Breakfast
8:00 A.M. - 9:15 A.M.
A9: Climbing the Ranks: Best Practices for Preventing Fraud and Misreporting in Admissions and Institutional Data
Presenter(s): Christopher Garrity, Director of Internal Audit, Saint Joseph's University
Adrienne Larmett, Senior Manager, Baker Tilly
Loretta Maguire, Director of Internal Audit, The College of New Jersey
 
College and university admissions practices have recently come under fire. Whether due to the largest known admissions scam ever prosecuted by the US Department of Justice, where at least 50+ people are accused of cheating by reporting falsified data to gain admissions into elite institutions, or to institutions struggling to fill incoming classes, processes to admit students are gaining increased attention.  Colleges and universities collect and report out on a variety of statistics related to incoming students. Inaccurate data reporting, whether intentional or not, can lead to a misrepresentation of the institution. In addition, misreported data can result in loss of accreditation and/or the removal of the school’s name in college rankings and/or guidebooks, which has a direct impact on its ability to recruit new students. Join this session to learn how internal audit can aid colleges and universities in addressing the risks associated with admissions and institutional data reporting.
 
After this session, participants will be able to:
• Define the admissions and data reporting landscape and processes.
• Identify how and why fraud and misreporting occur, and their impacts on an institution.
• Develop approaches for evaluating controls over admissions and data reporting.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Business Management & Organization
Prerequisites:  None
 
8:00 A.M. - 9:15 A.M.
B9: Major System Implementations – How Auditors Engage For Success
Presenter(s): Mike Cullen, Senior Manager, Baker Tilly
Carolyn Devine Saint, University of Virginia
Goli Trump, Montgomery College
 
Student success, fiscal responsibility, and business process innovation are all critical goals for higher education institutions. As such many institutions are investing in new technology systems to help meet those goals. These major system implementations are full of risks. Internal Auditors can play a key role helping your institution identify, manage, and report on risks related to these major initiatives. Learn how to engage you and your team for success in this area.
 
Join us for discussion with a panel of higher education professionals where you will interact with the panel through interactive polling and Q&A.
 
After this session, participants will be able to:
• Describe how auditors can engage stakeholders on major systems implementations.
• Benchmark your institution via real-time interactive polling on panelist and audience driven questions.
• Discuss lessons learned from panelists who have been engaged on major systems implementations.
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Information Technology
Prerequisites:  Experience in auditing higher education systems/applications or the processes they support
 
8:00 A.M. - 9:15 A.M.
C9: Using Data Analytics and Visualization to Manage Sponsored Project Risk
Presenter(s): Erin Baker, Data Analytics Program Manager, The University of Texas System
Dyan Hudson, Director, Specialty Audit Services, The University of Texas System
 
Our universities may have hundreds, or possibly thousands, of sponsored research projects underway at any given time.  How do we know where our audit resources are of most value?  As with most things, look in the data!  This session will highlight “Top 10” sponsored research risks, and how analytics and visualization can be used to identify the highest risk projects (and PIs).  IDEA and Tableau will be used to demonstrate how one university’s sponsored research office has taken the analytics and visualizations developed by internal audit, and deployed them for regular use in monitoring sponsored research projects across campus.
 
After this session, participants will be able to:
• Explain risks related to sponsored project management and monitoring.
• Identify examples of data analytics methods to measure sponsored project risk.
• Discuss visualizations useful in highlighting high risk projects.
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Specialized Knowledge
Prerequisites:  Experience in auditing sponsored projects
 
8:00 A.M. - 9:15 A.M.
D9: What the Heck is Analytics and Why Do I Care?
Presenter(s): Trevor Hughes, Senior Auditor for Data Analytics, Virginia Tech
 
To some auditors, analytics is a semi-mysterious term used to describe statistical and probability based approaches to evaluating data.  That's certainly one answer.  To other auditors, analytics is the black art of obtaining and organizing data for more traditional audit efforts.  That is yet another answer.  The reality is that those, along with many other aspects are all correct answers, and that the correct answer varies by application.  This presentation intends to assist auditors in understanding what analytics mean within their environment, how to identify an appropriate level of analysis, and how to apply higher level analytical tools and methods.  The presentation includes practical examples and demonstrations of analytical tools and techniques.
 
After this session, participants will be able to:
• Explain what analytics are and are not.
• Describe applications for analytics.
• Identify opportunities where applying analytics can make your audits more efficient or effective.
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  Experience in Data Analytics
 
9:30 A.M. - 10:45 A.M.
A10: What's Up with Accounting Standard Setters
Presenter(s): Sue Menditto, Senior Director, Accounting Policy, NACUBO
 
This session will provide a roundup of key accounting changes (GASB and FASB) and help internal auditors understand the reason behind proposed and new changes. Since most ACUA members are from public institutions, at least 60 percent of the time will cover GASB and its "Big Three Projects." The Big Three are financial reporting changes, revenue and expense recognition, and financial statement disclosures.  FASB items will focus on reporting model implementation discoveries, and grants and contracts. Department of Education proposals that involve accounting information will also be addressed.
 
After this session, participants will be able to:
• Explain GASB proposals' impact on Higher Education.
• Discuss changes in revenue recognition.
• Explain what FASB has on the horizon.
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Accounting
Prerequisites:  Education
 
9:30 A.M. - 10:45 A.M.
B10: IT Auditors and Directors Roundtable
Presenter(s): Barry White, Director Information Technology Auditing, Johns Hopkins Institutions
John O’Brien, President/CEO, EDUCAUSE
 
 
This roundtable provides an open forum for directors and technical auditors to discuss issues pertinent to the higher education information systems auditing arena.  IT Auditors are regularly challenged as new technologies present new risks.  Registrants will be surveyed for discussion topics in the weeks prior to the conference.  Recent roundtables have included lively and insightful discussion on information technology risk assessment and mitigation.
 
After this session, participants will be able to:
• Discuss IT risks including cybersecurity, 3rd party contracts, phishing attacks, mobile device management, web security.
• Prioritize IT risks in your own shop and develop an effective audit plan.
• Develop a list of peer contacts for future networking.
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Information Technology
Prerequisites:  Experience
 
 
9:30 A.M. - 10:45 A.M.
C10: Compliance Considerations Introduced by the Revised Federal Policy for the Protection of Human Subjects (Common Rule)
Presenter(s): Megan Kasimatis Singleton, Assistant Dean, Human Research Protections and Director of the Human Research Protections Program, Johns Hopkins University School of Medicine
 
Ending five and a half years of rulemaking and speculation, the US Department of Health and Human Services (HHS) and 15 other Federal Agencies released a final revision of the Federal Policy for the Protection of Human Subjects, or "Common Rule," on January 19, 2017. These are the first revisions to the Common Rule since it was promulgated in 1991. What specific changes to the Common Rule have been incorporated in the new rule? What are the implications of these revised regulations for IRBs and Human Research Protections Programs? What changes should internal auditors and others responsible for providing research compliance assurance be aware of that have been made to administrative processes and procedures to promote compliance with the new federal policy? This session will provide an overview of the revised regulations, allowing participants to not only learn about the changes to the Rule but also which areas of focus should be included when conducting research compliance assurance reviews of this important area.
 
After this session, participants will be able to:
• Describe the major changes included in the new rule.
• Identify areas in IRB operations and administration that have been changed that internal auditors should be aware of.
• Discuss the key research compliance risk areas that internal auditors or others responsible for compliance assurance should focus on when conducting reviews.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Specialized Knowledge
Prerequisites:  None
 
9:30 A.M. - 10:45 A.M.
D10: Make Your Audits More Relevant-Capitalize on ERM!
Presenter(s): John Kiss, Director, Baker Tilly
Sharon Kurek, Executive Director of Audit, Risk, and Compliance, Virginia Tech
Patricia Snopkowski, Chief Executive of Audit, Risk and Compliance, Oregon State University
Joanna Rojas, Director, University Audits, Duke University
 
In early 2019, Baker Tilly engaged CAE's from seven leading universities to understand their ERM programs and discuss how that was affecting their internal audit program. The seven institutions are in different phases of fully implementing ERM. We would share the key takeaways from this process, in areas such as:
• Streamlining the risk assessment process
• Developing actionable risk mitigation plans
• Monitoring progress on risk mitigation
• Leveraging the ERM risk assessment for internal audit planning
• Transitioning internal audit to address ERM risks.
This presentation would include the CAE's from at least two of those institutions who would provide case studies addressing:
• How they helped get the ERM program established,
• How ERM is evolving,
• How they are focusing on risk mitigation, and finally 
• How the role of internal audit is changing.
 
 
After this session, participants will be able to:
• Discuss how to get ERM started.
• Discuss recent developments in ERM, such as better risk mitigation.
• Transform internal audit into a role providing positive assurance on risk mitigation.
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  Experience in Enterprise Risk Management
 
10:45 A.M. - 11:10 A.M.
Networking / Refreshment Break
11:10 A.M. - 12:25 P.M.
Keynote: The State of Digital Ethics in 2019: Excitement, Caution and Hope
Presenter(s): John O'Brien, President/CEO, EDUCAUSE
 
 
Ethical concerns related to technology innovation are hardly new. Today, however, the hype around educational technology innovation often masks nuanced, powerful, and sometimes grave ethical entanglements. With weekly headlines about ethical ramifications of emerging technologies and the appearance of privacy near the very top of the EDUCAUSE Top 10 IT Issues for 2019, concerns about digital ethics are likely to intensify. In this keynote, John O’Brien will make the case for excitement, caution, and hope in this exceedingly challenging landscape--with higher education potentially leading the way.
 
After this session, participants will be able to:
  • Identify at least half a dozen concrete areas of substantive ethical concern.
  • Identify several actions they can take to address ethical concerns on their campus.
  • Comprehend the role their campus can and will play in the area of digital ethics.
 
Knowledge Level:  Basic
Advanced Preparation: None
Field of Study: Information Technology
Prerequisites: None
 
 
1:00 P.M. - 3:00 P.M.
ACUA Gives Back - Filbert Street Community Garden
SEPERATE REGISTRATION REQUIRED! 
This year the Host Committee has selected to volunteer at the Filbert Street Community Garden. 
 
Filbert Street Community Garden was founded in 2010 as part of the City of Baltimore's Adopt-a-Lot Program. The one acre plot was overgrown and full of trash. Various projects and volunteers have came and gone, but their objectives remain the same: recreation, education and supporting urban wildlife. 
For more information visit: http://filbertstreetgarden.org/.
Filbert Street Garden is located at: 1317 Filbert St, Baltimore, MD 21226

ACUA volunteers will assist with tending to the garden and the animals - so make sure you dress ready to get dirty. Closed toed shoes are recommended. 

To register to volunteer please click here: https://www.surveymonkey.com/r/ACUAGivesBack2019
Registration for the volunteer activity will cut off on September 17, 12:00 PM EST. 

Please note the following:
- The garden does have a hive of honeybees in the garden. If you are allergic, please be aware you will be near bees. 
- Transportation to/from the garden IS NOT provided. Volunteers should plan to carpool/uber/taxi to and from the garden at their own cost. 
- This volunteer activity requires at least 10 people to participate, if that number is not meant you will be notified. 
- This volunteer activity can only accept a maximum of 25 people, first come first serve. If you must cancel, please let the ACUA Executive Office know immediately. 
 
1:30 P.M. - 5:00 p.m.
Optional Networking Activities
There is plenty to see and do during your time in B’more city! The Baltimore Host Committee has scheduled networking activities for your enjoyment.
 
National AquariumSee the world from below the surface!
1:30 PM – Meet in the Hotel Lobby
Michele Evans will be leading a group to the National Aquarium to see one of the nation’s top aquariums. Tickets are available for $39.95 and can be purchased by clicking here: https://www.aqua.org/Tickets?date=09/18/2019 or they can be purchased when you arrive at the aquarium (select the afternoon 1:30 pm time slot). Please sign up here (link: https://www.surveymonkey.com/r/AuditCon19RSVP) before Friday, September 13 so we know how many people will be going with the group.
 
Harbor Cruise
3:00 PM – Meet in the hotel lobby at 2:15 pm
Nikki Pittman will be taking a group on a harbor cruise to see Baltimore by boat! Step aboard Annapolitan II for a 45-minute cruise introducing Baltimore, its history and the renaissance of the Inner Harbor. Baltimore Harbor Cruises are a fun take on a city of Baltimore tour. See Federal Hill, Fell’s Point and Ft. McHenry from the decks of a climate controlled vessel with beverage and snack bar plus other amenities. Tickets are $19 and should be purchased in advance online here: https://watermarkjourney.starboardsuite.com/e/baltimore-harbor-cruise-15533. Select the 3:00 pm cruise time. Please sign up here (link: https://www.surveymonkey.com/r/AuditCon19RSVP) Friday, September 13 so we know how many people will be going with the group.
 
 
1:30 P.M. - 3:10 P.M.
Optional Bonus Session 1A: Delivering Value: Comparing Two Philosophies
Presenter(s): Kelsey Bahadursingh, Assistant Director, Vanderbilt University
Bruce Weisman, Associate Director, Vanderbilt University
 
Join us as we explore our department’s overhaul of our audit process in order to streamline procedures and increase productivity. In order to accomplish our objectives, we revised our audit templates, implemented data analytics, started time tracking, re-formatted our audit reports, and commenced a follow-up process. As a result, our team (six auditors, two directors and one AVC) completed more than 30 projects in fiscal year 2019.  During this session, we will share lessons learned and have roundtable discussions regarding various experiences participants have had within their own audit shop. Come ready for some engaging conversations, and bring along your own ideas and best practices!
 
After this session, participants will be able to:
• Evaluate their audit shops value using the philosophies and tools discussed during the session.
• Implement lean and agile audit techniques and significantly increase productivity.
• Share audit results with varying levels of stakeholders – process owners, executive leadership, and board of trust.
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  Experience in internal auditing
 
1:30 P.M. - 3:10 P.M.
Optional Bonus Session 1B: How to Leverage Tableau to Find Travel Fraud
Presenter(s): Aaron Cohen, Forensic Auditor, Georgia Institute of Technology
 
Join us to explore how Tableau can help you identify faculty and staff that may be taking advantage of the travel system. Additionally, it can pinpoint policy violations, and areas that need managerial improvement. Using a data visualization software, such as Tableau, will help you key into who is a problematic traveler, quickly review travel allegations, and give you the tools you need to be proactive in combatting fraud.
 
After this session, participants will be able to:
• Describe how to increase travel review efficiencies.
• Identify common fraud red flags associated with travel.
• Apply data visualization tools to identify target populations of faculty and staff.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Specialized Knowledge
Prerequisites:  None
 
3:25 P.M. - 5:05 P.M.
Optional Bonus Session 2A: Training for the Trenches - Implementing Fraud Awareness Training at Your Organization
Presenter(s): Laura Ling, Audit Manager, University of Florida
 
Employees who approve P-card transactions, time and expense reports, and purchase requisitions are often best situated to prevent and detect fraud.  Unfortunately, these employees are rarely equipped with appropriate anti-fraud training to identify and respond to red flags.  Teaching employees what to look for and empowering them to ask questions and raise concerns can have a significant impact on an organization's fraud prevention program. This class will discuss the University of Florida's recent experience with implementing a Fraud Awareness Training program.  It will include the key components of the fraud awareness training, including case study materials used to help university staff visualize what prior frauds have looked like.  It will also include lessons learned during the first nine months of the Fraud Awareness training program.
 
After this session, participants will be able to:
• Explain the impact employee fraud awareness training can have on preventing and detecting fraud.
• Identify key topics to communicate to employees through fraud awareness training.
• Leverage lessons learned by our organization while rolling out fraud awareness training.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  None
 
3:25 P.M. - 5:05 P.M.
Optional Bonus Session 2B: Applying Analytical Procedures to Labor Cost Transfers in a Banner Environment
Presenter(s): Trevor Hughes, Senior Auditor for Data Analytics, Virginia Tech
 
Labor is normally the largest single cost associated with Federal research grants and contracts.  At Virginia Tech, these costs are normally applied to specific grants through labor cost transfers.  Because this process is how the majority of cost is applied to each award, it is also a critical process to both understand and to audit.  Virginia Tech examined the way that these transactions were being audited and found a way to do so more efficiently, effectively, and with higher quality than had previously been the case.  As part of this process, we re-examined how the data was recorded in Banner and found ways of re-examining Excel formulas that cut the calculation time from hours to minutes and which permitted detailed examination of the largest departments and the automated identification of non-compliant transfers.  This presentation will examine the base ideas of what labor cost transfers are and why they matter, how they are recorded in Banner, and what the analysis revealed.  The largest portion of this presentation will be a discussion of how to reconsider how formulas are structured in Excel and how to make choices that can dramatically affect the overall performance of an analysis.
 
After this session, participants will be able to:
• Explain the purpose of labor cost transfers.
• Analyze data from a Banner system to better audit labor cost transfers.
• Identify problematic labor cost transfers.
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Communications and Marketing
Prerequisites:  None
 
 
7:00 A.M. - 8:00 A.M.
Breakfast / Optional Coffee Talks
Table 1:  Fraud, Hosted by Dyan Hudson, University of Texas System
Table 2:  Hotline Management, Hosted by Will Hancock, Auburn University
Table 3:  Data Analytics, Hosted by Trevor Hughes, Virginia Tech
Table 4:  ACUA and Volunteering, Hosted by Melissa Hall, Georgia Tech
Table 5:  First Time Attendees and New Members, Hosted by Richard Cordova, University of Washington
8:00 A.M. - 9:40 A.M.
A11: Calling all Small Shops
Presenter(s): LaDonna Flynn, Director of Internal Audit, Pittsburg State University
 
We will be polling all ACUA member small audit shops and see what they need help with; i.e. risk assessments, audit programs, governance, etc.  Once the list is complete, we will ask attendees, registered in this session, to bring tools that fit the request for help with them on a flash drive.  The session will focus on discussing the tools and how others can use the tools.  The session will also discuss any areas that others asked for help.  We will be taking minutes of the session.  Once the conference is over, all the attendees would receive a copy of the tools discussed and minutes from the session.  Also, any small audit shop, whether they attended or not, that requested help during the polling, would get a copy of the tools discussed at the conference and minutes of the session.  The tools brought on flash drives will be saved to the presenter’s laptop during the session so the tools can be sent back out after the session.
 
After this session, participants will be able to:
• Explain the value of connecting small audit shops with other small shops to share ideas.
• Discuss how small audit shops can develop strategies to conquer their unique issues.
• Apply new tools to make their small shop more efficient and effective.
 
Knowledge Level:  Overview
Advanced Preparation:  Yes, see Session Description
Field of Study:  Auditing
Prerequisites:  None
 
 
8:00 A.M. - 9:40 A.M.
B11: IT Risks and Opportunities in Academia – Critical Areas and Practices from a Board, Executive Management and Audit Perspective
Presenter(s): Johan Lidros, President, Eminere Group
Patrick Graber, Chief Audit Executive, Board of the Swiss Federal Institutes of Technology
 
 
IT has a growing impact on the Academic institution’s success. The Board and the Audit Committee should be aware about the existing and emerging challenges in this area and the way the institution could use and/or manage them. The audit department plays a central role in identifying these topics and bring them to the attention of the Board and Audit Committee as well as by including appropriate audit areas in its audit plan. The session will also include successful examples of implemented IT risk and governance practices in an Academic environment. The following items will be addressed to help you better identify the topics to be discussed: 
• New technology impact/risks (blockchain, SDN, SDDC, IoT or IoMT, etc.)
• Key 2020 IT risks and opportunities in Academia
• Evolving IT risks to discuss with management/board
• Successful Board and Executive Management IT Governance Practices in Academia
 
After this session, participants will be able to:
• Identify key IT risks and opportunities in an Academic environment.
• Describe trending and successful IT governance and risk management best practices in an Academic environment.
• Discuss IT challenges in an evolving IT risk environment.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Information Technology
Prerequisites:  None
 
 
8:00 A.M. - 9:40 A.M.
C11: Interviewing Techniques for Auditors
Presenter(s): John Grimes, III, Adjunct Faculty, Chief Inspector (RET), CFE,CFI, Stevenson University
 
This presentation will explore forensic interviewing techniques in the pursuit of eliciting truthful information from a variety of interviewees, including suspects. The presentation will discuss interviewing as a craft, which involves best practice steps to achieve interview objectives. In this regard, instruction on interview methods that will assist in breaking down barriers and building trust with uncooperative, reluctant, and hostile interviewees will be offered. Additionally, attendees will learn the proper phrasing of open, clarifying, and direct questions to assist in detecting truth, deception, and lies, followed by instruction of asking appropriate follow-up questions to lead the interviewee to the truth. Furthermore, the presentation will examine false confession hazards and the interviewer’s role in preventing and spotting a false confession and avoiding claims of coercion and false imprisonment.
 
After this session, participants will be able to:
• Describe forensic interview techniques and other strategies when conducting interviews of a variety of interviewees, including fraud suspects.
• Discuss interview strategies to break down barriers and build trust with uncooperative, reluctant, and hostile interviewees.
• Discuss how to avoid claims of false imprisonment, coercion, and false confessions.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Specialized Knowledge
Prerequisites:  None
 
 
8:00 A.M. - 9:40 A.M.
D11: Strategic Partnering: Building a Winning Platform for Construction Auditing
Presenter(s): Kimberly (Kim) Turner, Chief Audit Executive, Texas Tech University System
Michael Molina, Chief Architect and Associate VP for Facilities Planning & Management, Southern Methodist University
 
Experience the power of audit multiplied through strategic partnering with management. This session examines how Audit’s partnership with Facilities Planning & Construction to develop a multi-faceted construction audit platform produced dramatic results. Cost avoidance and recovery are at an all-time high; the playing field of design professional and contractor partners has widened dramatically; increased competition is helping drive cost savings; and the Facilities office has achieved an unprecedented level of trust across the institution. Board members and senior management value the partnership as a model for the institution.  Participants will interactively plan their next strategic partnership through the lens of examining this strategic partnership’s genesis, division of responsibilities between Audit and Facilities, and impact of the partnership within the governance structure of the institution. In addition, after learning about the operational changes in Facilities, best practices in construction cost compliance, and hot spots, participants will develop a plan to address construction cost risk for their institutions. 
 
After this session, participants will be able to:
• Develop a plan to initiate and structure a strategic partnership with management.
• Articulate a division of responsibilities that protects Audit’s independence and results in proactive change.
• Identify risks related to construction costs and plan audit steps to address them.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  None
 
9:40 A.M. - 10:10 A.M.
Networking / Refreshment Break
10:10 A.M. - 11:50 A.M.
A12: The Power of Partnership: A CAE Roundtable
Presenter(s): Kimberly (Kim) Turner, Chief Audit Executive, Texas Tech University System
 
CAEs have opportunities to develop powerful insight and leverage their work through effective partnerships. Participants will discuss partnering within the audit function, with institutional “level 2” functions, with internal and external subject matter experts, and with senior leadership and the board. This roundtable will provide a moderated and timed environment where CAEs and directors with varying perspectives will discuss, and even challenge, best practices related to internal audit leadership, emerging risks, and university governance, risk management, and control practices. The session will be entirely interactive, consisting of robust group discussion and starting with a pre-conference survey of attendees to gather additional topics of interest.
 
After this session, participants will be able to:
• Discuss and employ best practices in internal audit management.
• Identify partnership opportunities for CAEs within the audit function, with other institutional offices, with senior leaders, and externally.
 
Knowledge Level:  Advanced
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  Experience in an internal audit leadership position
 
10:10 A.M. - 11:50 A.M.
B12: It's Just Someone Else's Computer: Assessing and Understanding Security in Cloud Computing
Presenter(s): Brian Markham, AVP, Information Security, George Washington University
 
Cloud computer is here and it’s here to stay (for a while anyway). Unfortunately, there are still many myths and misunderstandings on how to achieve reasonable security of data in the cloud. The purpose of this session is to dispel some of these myths and review cloud computing technology and how it can be utilized while prioritizing and maintaining effective security controls.
 
After this session, participants will be able to:
• Discuss security fundamentals, specifically as they pertain to cloud applications and infrastructure.
• Explain and evaluate software-as-a-service (SaaS) applications and acceptable industry frameworks.
• Explain and evaluate infrastructure-as-a-service (IaaS) applications and infrastructure and acceptable industry frameworks.
 
Knowledge Level:  Intermediate
Advanced Preparation:  None
Field of Study:  Information Technology
Prerequisites:  None
 
10:10 A.M. - 11:50 A.M.
C12: The Front Porch of the University - Hot Topics in Athletics
Presenter(s): Brian Daniels, Chief Audit and Compliance Officer, University of Tennessee
Timothy Parker, Senior Auditor for Special Projects, Virginia Tech
 
Auditing an intercollegiate athletics department can be intimidating, but it helps if you understand the basic structure of an athletics department, the major areas in which to focus your audits, and the key terms used.  Brian and Tim will combine their knowledge as auditors and auditees of a sizeable NCAA Division I program to share information and answer questions from both perspectives.  Whether you’ve never conducted an audit of athletics and don’t know where to start, are an experienced athletics auditor with insights to share, or simply wondered what actually goes on inside an athletics compliance office . . . don’t leave Baltimore early, join us on Thursday morning!
 
After this session, participants will be able to:
• Better understand areas of greatest risk within an intercollegiate athletics department.
• Confidently develop a meaningful series of audits for athletics.
• Efficiently and effectively deploy IA resources to maximize value.
• Utilize available NCAA resources to prepare for, and assist in, your audits.
• Recognize some of the new hot topics in college athletics.
 
Knowledge Level:  Overview
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  None
 
 
10:10 A.M. - 11:50 A.M.
D12: Everything You Always Wanted to Know about Auxiliaries...and Then Some!
Presenter(s): Toni Stephens, Chief Audit Executive, The University of Texas at Dallas
 
 
If you’ve never taken fund accounting, or if you’re new to higher education, you may have no idea what the heck an Auxiliary is, or you may think it’s that cord we use in our cars if we don’t have Bluetooth.  Auditing Auxiliary Enterprises is similar to auditing in the corporate world, and auditing them can be very fun - but full of risks - including that famous five letter “F” word!
 
After this session, participants will be able to:
• Identify common auxiliary operations at campuses
• Explain common risk and controls across the auxiliary areas
• Discuss common pitfalls and difficulties in conducting auxiliary reviews
 
Knowledge Level:  Basic
Advanced Preparation:  None
Field of Study:  Auditing
Prerequisites:  None
 
5:00 P.M. - 6:00 P.M.
First-time and New Members Reception (invitation only)
First-time attendees and new members are invited to meet and greet the Board of Directors, past presidents, committee chairs and other ACUA leaders and learn what to expect and how to benefit from the activities and educational opportunities provided by ACUA.
 
6:00 P.M. - 7:30 p.m.
Opening Reception
Enjoy the opening of the Exhibit Hall where you can reconnect with longtime ACUA friends and make new ones before visiting area restaurants for dinner on your own. Come for hors d’oeuvres and beverages while you visit with vendors to learn about their products and services and thank them for helping support this conference through participation and funding. Show your school pride by wearing your university/college emblazoned attire!
 
Track A: Leadership, Governance and Risk
Track B: IT/IS, Cybersecurity and Data Privacy
Track C: Research and Compliance
Track D: Special Topics